JP2023149712A - On-vehicle device and log management method - Google Patents

Abstract

To provide an on-vehicle device to acquire proper log information.SOLUTION: An on-vehicle device of the present invention is configured to: receive, from a server, a log acquisition requirement including an abnormality detection place part defining an abnormality detection place and a log acquisition part representing a log for acquiring when detecting abnormality in the abnormality detection place defined with the abnormality detection place part; store the log acquisition requirement; detect abnormality of a vehicle; acquire the log based on a place in which the abnormality is detected upon detection of the abnormality and the stored log acquisition requirement; and send the acquired log to the server.SELECTED DRAWING: Figure 1

Description

The present disclosure relates to an in-vehicle device and a log management method.

In recent years, there is a technology for collecting abnormality detection information and log information from vehicles (for example, Patent Document 1). This makes it possible to collect log information for the causes and countermeasures of abnormalities caused by cyber attacks on vehicles.

Japanese Patent Application Publication No. 2018-032254

In cases such as when the pattern of the above-mentioned cyber attack changes, it is not possible to collect appropriate log information simply by uniformly collecting the same type of log information.

This disclosure aims to collect appropriate log information.

An in-vehicle device according to the present disclosure is an in-vehicle device that is capable of communicating with a server and is installed in a vehicle, and includes an anomaly detection location part that specifies one or more anomaly detection locations, and an anomaly detected by the anomaly detection location part. a receiving unit that receives log acquisition requirements from the server, including a log acquisition part indicating one or more logs to be acquired when an abnormality is detected at a detection location; a storage unit that stores the log acquisition requirements; and a vehicle abnormality. a log acquisition unit that acquires logs based on the location where the abnormality is detected and the log acquisition requirements stored in the storage unit when an abnormality is detected by the detection unit; and a transmitting unit that transmits the log acquired by the unit to the server.

According to the in-vehicle device according to the present disclosure, appropriate log information can be efficiently collected.

FIG. 1 is a schematic configuration diagram showing an example of a system according to this embodiment. FIG. 2 is a diagram illustrating an example of log acquisition requirements according to the present embodiment. FIG. 3 is a diagram showing an example of data stored by the management unit according to the present embodiment. FIG. 4 is a diagram illustrating the log collection method according to this embodiment. FIG. 5 is a flowchart showing the log acquisition requirement generation processing procedure according to this embodiment. FIG. 6 is a flowchart showing the log information acquisition processing procedure. FIG. 7A is a diagram for explaining a log acquisition target determination method according to this embodiment. FIG. 7B is a diagram for explaining a log acquisition target determination method according to a modification. FIG. 8A is a diagram for explaining an example of an abnormality detection pattern according to a modification. FIG. 8B is a diagram for explaining an example of log acquisition targets according to the modification. FIG. 9A is a diagram illustrating an example of a control message according to a modification. FIG. 9B is a diagram illustrating an example of controlling according to a control message according to a modification. FIG. 10A is a diagram illustrating an example of log acquisition requirements according to a modification. FIG. 10B is a diagram illustrating an example of changing the priority according to the modification. FIG. 11A is a diagram illustrating an example of log acquisition requirements according to a modification. FIG. 11B is a diagram illustrating an example of log acquisition requirements according to a modification.

(Embodiment)
Embodiments will be described using drawings.

(System configuration example)
FIG. 1 is a schematic configuration diagram showing an example of a system according to an embodiment. This system includes a monitoring center 1 and a vehicle 2. The monitoring center 1 and the vehicle 2 can send and receive information to and from each other via the network.

The monitoring center 1 is a system that manages the status of a plurality of vehicles 2. The monitoring center 1 is an information processing device such as a server device. The monitoring center 1 acquires abnormality detection information from the vehicle 2, identifies an attack location based on the content of the abnormality detection, and determines a log acquisition target according to the attack location. The monitoring center 1 transmits the attack location and the log acquisition target to the vehicle 2. Thereby, the monitoring center 1 can instruct the vehicle 2 about the type of log to be acquired.

Vehicle 2 controls the driving operation of vehicle 2. Further, the vehicle 2 includes a plurality of ECUs (Electronic Control Units), and when an abnormality is detected by monitoring the plurality of ECUs, log information is acquired and the log information is transmitted to the monitoring center 1. Furthermore, the vehicle 2 acquires log information based on the type of log to be acquired acquired from the monitoring center 1 .

The monitoring center 1 includes a reception section 11 , an event management section 12 , an attack determination section 13 , a display section 14 , and an output section 15 . The receiving unit 11 receives information regarding abnormality detection (event) from the vehicle 2 . The receiving unit 11 acquires the type of ECU in which the abnormality has occurred and log information of the ECU, etc. in which the abnormality has occurred, as information regarding the abnormality detection.

The event management unit 12 is a storage unit that stores information acquired from the vehicle 2. The attack determination unit 13 identifies an attack pattern based on information stored in the event management unit 12. For example, when the attack determination unit 13 receives abnormality detection of the ECU 3 and the ECU 4 from the vehicle 2, it identifies ECU 1 → ECU 2 → ECU 3 → ECU 4 as the attack path based on the connection relationship between the ECUs. Note that a known technique can be applied to the method of identifying the attack route.

The display unit 14 is a display means that displays various information. The display unit 14 displays information stored in the event management unit 12 and the determination result by the attack determination unit 13.

The output unit 15 transmits log acquisition requirements indicating log acquisition targets based on the determination result by the attack determination unit 13 to the vehicle. Here, an example of the log acquisition requirement data transmitted by the output unit 15 will be explained using FIG. 2. The data transmitted by the output unit 15 is an example of log acquisition requirements. The output unit 15 transmits the abnormality detection pattern and the log acquisition target based on the abnormality detection pattern to the vehicle 2 as log acquisition requirement data.

Returning to FIG. 1, the vehicle 2 includes a control section 21, an ECU 22, a management section 23, and an update section 24. The control unit 21, the ECU 22, the management unit 23, and the update unit 24 are installed in the vehicle. Therefore, the control unit 21, the ECU 22, the management unit 23, and the update unit 24 are examples of in-vehicle devices. The control unit 21 controls a plurality of ECUs 22 (for example, ECU 22a, ECU 22b, . . . ). The control unit 21 is, for example, an ECU that provides a security function. Upon receiving from the ECU 22 that an abnormality has been detected, the control unit 21 specifies a log acquisition target based on the content managed by the management unit 23, acquires log information of the log acquisition target, and sends it to the monitoring center. Send log information to 1. Note that each device may be an individual device, or may be a device with multiple functions, such as the control section 21, management section 23, and update section 24 being included in the same device.

The ECU 22 includes a log acquisition section 221 and an abnormality detection section 222. The log acquisition unit 221 acquires log information in response to instructions from the control unit 21. The abnormality detection unit 222 detects an abnormality occurring within the ECU 22. When detecting an abnormality, the abnormality detection unit 222 transmits a notification to the control unit 21 that the abnormality has been detected.

The management unit 23 is a storage unit that manages log acquisition requirement data received from the monitoring center 1. Here, an example of the log acquisition requirement data stored by the management unit 23 will be described using FIG. 3. As shown in FIG. 3, the management unit 23 stores abnormality detection patterns, log acquisition targets, and priorities. Here, the priority is the number of times log acquisition requirement data of the same combination of abnormality detection pattern and log acquisition target is received.

Returning to FIG. 1, the update unit 24 stores the log acquisition requirement data received from the monitoring center 1 into the management unit 23. Note that the update unit 24 may edit the log acquisition requirement data stored in the management unit 23.

Next, the log collection method of the monitoring center 1 will be explained using FIG. 4. In the vehicle 2a, when the log acquisition requirements are undefined, the abnormality occurring ECU and its adjacent ECU are to be logged. First, the vehicle 2a detects an abnormality in the ECU 22c and the ECU 22d. In the vehicle 2a, when an abnormality is detected in the ECU 22c and the ECU 22d (ECU 3 and ECU 4), the control unit 21 of the vehicle 2a acquires log information of the ECU 22b, ECU 22c, ECU 22d, and ECU 22e based on the above conditions. The control unit 21 of the vehicle 2a transmits to the monitoring center 1 the fact that an abnormality has been detected in the ECU 22c and the ECU 22d (the abnormality detection location) and the log information of the ECU 22b, the ECU 22c, and the ECU 22d.

The monitoring center 1 receives an abnormality detection location and log information based on the abnormality detection location from the vehicle 2a. The monitoring center 1 determines an attack route by referring to abnormality detection points received from the vehicle 2a and other vehicles 2 and log information based on the abnormality detection points. When the monitoring center 1 determines that the attack route is ECU1 → ECU2 → ECU3 → ECU4, and the abnormality detection pattern (abnormality detection location) is ECU3 and ECU4, the monitoring center 1 creates log acquisition requirement data that specifies the log acquisition target is ECU1 to ECU4. is transmitted to vehicle 2 (for example, vehicle 2b).

In the vehicle 2b, when an abnormality is detected in the ECU 22c and the ECU 22d, the abnormality detection pattern has the highest priority among the log acquisition requirements for the ECU 3 and the ECU 4, that is, the log acquisition requirement that the log acquisition target is ECU 1 to ECU 4 is the highest. , when the number of times the log acquisition requirements are received from the monitoring center 1 is the largest, the control unit 21 of the vehicle 2b acquires log information from the ECUs 1 to 4.

Next, the processing procedure by which the monitoring center 1 generates log acquisition requirements will be explained using FIG. 5. FIG. 5 is a flowchart showing the log acquisition requirement generation processing procedure.

As a premise, it is assumed that the event management unit 12 stores events in which abnormality detection locations are associated with log information. First, the attack determination section 13 acquires an event to be determined as an attack from the event management section 12 (step S1). Subsequently, the attack determination unit 13 estimates an attack route based on the event (step S2). The attack determination unit 13 outputs the abnormality detection pattern of the event, the attack route, and the vehicle type information to the output unit 15 (step S3).

The output unit 15 transmits the abnormality detection pattern and the log acquisition target (attack route) as log acquisition requirements to the vehicle 2 of the vehicle type corresponding to the received vehicle type information (step S4). Note that the update unit 24 of the vehicle 2 receives the log acquisition requirements and stores the received log acquisition requirements in the management unit 23.

Next, a processing procedure in which the vehicle 2 acquires log information based on log acquisition requirements will be described using FIG. 6. FIG. 6 is a flowchart showing the log information acquisition processing procedure.

The abnormality detection unit 222 transmits a notification to the effect that an abnormality has been detected (an abnormality detection result) to the control unit 21 (step S11). The control unit 21 receives the abnormality detection result and understands the abnormality detection pattern (step S12). The control unit 21 refers to the management unit 23 and acquires the log acquisition requirement with the highest priority, that is, the log acquisition requirement that has been received the most times, among the log acquisition targets corresponding to the abnormality detection pattern (step S13).

The control unit 21 acquires the log information of the log acquisition target of the acquired log acquisition requirements (step S14), and transmits the abnormality detection result and the log information to the monitoring center 1 (step S15).

In the embodiment described above, the vehicle 2 receives the log acquisition requirements including the abnormality detection pattern and the log acquisition target, and stores the log acquisition requirements. When the vehicle 2 detects an abnormality in the vehicle 2, it acquires a log based on log acquisition requirements corresponding to the detected abnormality, and transmits the acquired log to the monitoring center 1.

In this way, the vehicle 2 stores log acquisition requirements in advance and acquires logs based on the log acquisition requirements corresponding to the detected abnormality, so that appropriate log information can be collected.

(Modified example)
In the above embodiment, as shown in FIG. 7A, when the ECU 3 and the ECU 4 detect an abnormality, the vehicle 2 refers to the management unit 23 and selects the received log from among the log acquisition targets corresponding to the abnormality detection pattern. Get the log retrieval requirements that occur most often. Note that the present invention is not limited to this, and the vehicle 2 may acquire the logs of the log acquisition requirements that have the highest number of receptions (for example, the third) among the log acquisition targets corresponding to the abnormality detection pattern. You can also do this.

For example, as shown in FIG. 7B, the vehicle 2 refers to the log acquisition requirements that have been received up to the third time among the log acquisition targets corresponding to the abnormality detection pattern, and sets the log acquisition targets to ECU1 to ECU5. You can also do this.

Furthermore, in the above-described embodiment, a case has been described in which the vehicle 2 transmits the ECU 22 that has detected an abnormality to the monitoring center 1 as an abnormality detection pattern, but information on the type of abnormality may be transmitted as an abnormality detection pattern. . Then, the monitoring center 1 may specify an attack pattern based on the abnormality detection pattern including information on the abnormality type acquired from the vehicle 2, and specify a log acquisition target corresponding to the attack pattern.

Here, an example of an abnormality detection pattern is shown in FIG. 8A. As shown in FIG. 8A, the abnormality detection pattern is not limited to the ECU, but may include the ECU plus the abnormality type. Alternatively, only the abnormality type may be used as the abnormality detection pattern.

Furthermore, in the above-described embodiment, the monitoring center 1 describes the case where the log acquisition target is the ECU, but the monitoring center 1 may acquire logs of other information. Here, FIG. 8B shows an example of log acquisition targets. As shown in FIG. 8B, the log acquisition target is not limited to the ECU, but may include the ECU plus the log type. Alternatively, only log types may be targeted for log acquisition.

Further, although not specifically mentioned in the above embodiment, the monitoring center 1 may output a control message regarding log acquisition requirements. Here, FIG. 9A shows an example of a control message. The control message is data that associates an abnormality detection pattern, a log acquisition target, and a control MSG. The control MSG indicates control processing content, and in the example of FIG. 9A, indicates a deletion instruction. When the monitoring center 1 transmits the control message shown in FIG. 9A, the vehicle 2 receives the control message, and the updating unit 24 of the vehicle 2 updates the control message as shown in FIG. 9B based on the control message. Delete the log acquisition requirements corresponding to the anomaly detection pattern and log acquisition target.

In this way, the monitoring center 1 can leave only appropriate log acquisition requirements in the vehicle 2 by transmitting a control message and having the vehicle 2 edit log acquisition requirements that are assumed to be unnecessary. In addition to the deletion instruction, the control processing content of the control message may include specifying a priority level or switching an algorithm. Algorithm switching refers to switching the log acquisition target determination algorithm.

Furthermore, in the above-described embodiment, the vehicle 2 stores the number of receptions in the log acquisition requirements, but the monitoring center 1 transmits information with reliability attached to the vehicle 2 as shown in FIG. 10A. You may also do so. Then, the vehicle 2 may add the acquired reliability to the priority of the stored record from which the abnormality detection pattern/log is to be acquired.

In this way, the system sets reliability for the combination of anomaly detection pattern and log acquisition target, and the vehicle 2 selects the most appropriate log acquisition target for the abnormality detection pattern based on the reliability. be able to.

Moreover, although the case has been described in which the monitoring center 1 sets the combination of the abnormality detection pattern and the log acquisition target by determining the attack pattern, the operator of the monitoring center 1 may define the combination. For example, as shown in FIG. 11A, the operator of the monitoring center 1 may define log acquisition requirements for all abnormality detection patterns, setting the log acquisition targets to ECU1 and ECU2 and giving the highest priority. good.

In this case, the log acquisition requirements set by the operator can also be transmitted, and more comprehensive log acquisition requirements can be provided to the vehicle 2. Alternatively, by providing log acquisition requirements that target the logs of specific ECUs, it is possible to acquire logs according to the operator's intentions, such as focusing on monitoring and analyzing attacks on specific ECUs. Become. Further, by combining the above-mentioned log monitoring requirements including the control message, the log acquisition requirements can be set flexibly.

Further, the monitoring center 1 may send a plurality of pieces of information on log acquisition requirements to the vehicle 2 at once, as shown in FIG. 11B.

Regarding the above embodiments, the following will be disclosed.
A log acquisition method executed by an in-vehicle device installed in a vehicle that can communicate with a server,
A log including an anomaly detection location part that specifies one or more anomaly detection locations, and a log acquisition part that indicates one or more logs to be obtained when an abnormality is detected at the anomaly detection location specified by the anomaly detection location part. receiving acquisition requirements from the server;
Store the log acquisition requirements,
detecting an abnormality in the vehicle;
When an anomaly is detected, logs are acquired based on the location where the anomaly was detected and the stored log acquisition requirements,
Send the obtained log to the server,
Log acquisition method.

Although the embodiments of the present disclosure have been described above, the above-mentioned embodiments are presented as examples, and are not intended to limit the scope of the invention. These novel embodiments can be implemented in various other forms, and various omissions, substitutions, and changes can be made without departing from the gist of the invention. These novel embodiments and modifications thereof are within the scope and gist of the invention, and are within the scope of the invention described in the claims and its equivalents. Furthermore, components of different embodiments and modifications may be combined as appropriate.

Furthermore, in the embodiments described above, the expression "...unit" means "...circuitry", "...assembly", "...device", "...unit", or , "...module" may be substituted with other notations.

In each of the above embodiments, the present disclosure has been explained using an example configured using hardware, but the present disclosure can also be realized by software in cooperation with hardware.

Furthermore, each functional block used in the description of each of the above embodiments is typically realized as an LSI, which is an integrated circuit. The integrated circuit may control each functional block used in the description of the above embodiments, and may include an input terminal and an output terminal. These may be integrated into one chip individually, or may be integrated into one chip including some or all of them. Although it is referred to as an LSI here, it may also be called an IC, system LSI, super LSI, or ultra LSI depending on the degree of integration.

Moreover, the method of circuit integration is not limited to LSI, and may be realized using a dedicated circuit or a general-purpose processor and memory. After the LSI is manufactured, an FPGA (Field Programmable Gate Array) that can be programmed or a reconfigurable processor that can reconfigure the connections or settings of circuit cells inside the LSI may be used.

Furthermore, if an integrated circuit technology that replaces LSI emerges due to advancements in semiconductor technology or other derivative technologies, it is natural that functional blocks may be integrated using that technology. Possibilities include the application of biotechnology.

Further, the effects in the embodiments described in this specification are merely examples and are not limited, and other effects may also be provided.

1 Monitoring center 2 Vehicle 11 Receiving section 12 Event management section 13 Attack determination section 14 Display section 15 Output section 21 Control section 22 ECU
23 Management Department 24 Update Department

Claims (17)

An in-vehicle device that can communicate with a server and is installed in a vehicle,
It includes an anomaly detection location part that specifies one or more anomaly detection locations, and a log acquisition part that indicates one or more logs to be obtained when an abnormality is detected at the anomaly detection location specified by the anomaly detection location part. a receiving unit that receives log acquisition requirements from the server;
a storage unit that stores the log acquisition requirements;
a detection unit that detects an abnormality in the vehicle;
a log acquisition unit that acquires a log when the detection unit detects an abnormality, based on the location where the abnormality is detected and the log acquisition requirements stored in the storage unit;
a transmitter that transmits the log acquired by the log acquirer to the server;
An in-vehicle device equipped with. 1 . The log acquisition unit determines the log to be acquired based on a priority set to the log acquisition requirement corresponding to the detected abnormality when there are a plurality of log acquisition requirements corresponding to the detected abnormality. The in-vehicle device described in . The in-vehicle device according to claim 1, wherein the abnormality detection part of the log acquisition requirement includes an ECU (Electronic Control Unit). The in-vehicle device according to claim 1 or 3, wherein the abnormality detection location portion of the log acquisition requirements includes information based on the type of abnormality. The in-vehicle device according to claim 1, wherein the log acquisition part of the log acquisition requirement includes an ECU log. The in-vehicle device according to claim 1 or 5, wherein the log acquisition part of the log acquisition requirement includes one based on a log type. The in-vehicle device according to claim 1, wherein the receiving unit acquires a control message for the log acquisition requirements, and edits the log acquisition requirements stored in the storage unit based on the control message. The log acquisition requirement further includes reliability information of the log acquisition requirement,
The log acquisition unit determines the log to be acquired based on reliability information of the log acquisition requirements corresponding to the detected abnormality when there are a plurality of the log acquisition requirements corresponding to the detected abnormality. in-vehicle equipment. A log management method executed on a server that can communicate with a vehicle,
receiving abnormality information from the vehicle, including an abnormality detection location portion indicating a location where an abnormality was detected from the vehicle, and a log based on the detection of the abnormality;
Based on the received abnormality information, identify a log acquisition part indicating a log corresponding to the abnormality,
A log management method comprising transmitting log acquisition requirements including the abnormality detection location and the log acquisition portion to a vehicle. The log management method according to claim 9, wherein the abnormality detection location portion of the log acquisition requirement includes an ECU. 11. The log management method according to claim 9, wherein the abnormality detection location portion of the log acquisition requirements includes information based on the type of abnormality. The log management method according to claim 9, wherein the log acquisition part of the log acquisition requirement includes an ECU log. 11. The log management method according to claim 9, wherein the log acquisition part of the log acquisition requirement includes one based on a log type. The log management method according to claim 9, further comprising transmitting a control message for the log acquisition requirements. 10. The log management method according to claim 9, wherein information indicating reliability of the log acquisition requirement is further included in the log acquisition requirement and transmitted. The log management method according to claim 9, wherein the log acquisition requirements are transmitted by external input. The log management method according to any one of claims 9 to 16, wherein a vehicle of the same type as the vehicle that received the abnormality information is the destination of the log acquisition requirements.

Images